Authentication

Pro-tip

If you are just going to read public documents, and edit them in the studio, you don't need to worry about authentication.

By default, unauthenticated users have read access to published documents (with certain exceptions). However, if you want to access draft documents or make modifications you will need to authenticate yourself as a project member with write access.

Sanity uses tokens for authentication, which are generated when you log in and then attached to all API requests in the HTTP Authorization header - e.g.:

The content studio handles this for you automatically when you log in, and the command-line tool will generate and store a personal token when you run sanity login.

If you want to run authenticated API requests manually with e.g. curl, you can find your personal API token by running sanity debug --secrets and looking for the "Auth token" value under "Authentication". You then place this in an Authorization header:

Your API token is personal, and gives complete access to the Sanity API as your user. Take care not to share it with anyone, and use robot tokens instead to authenticate from applications and third-party services.
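An added example, not part of the Sanity documentation: one way to make the manual curl request described above without typing the token on the command line, where it would end up in shell history and process listings. It assumes the token is held in an environment variable named SANITY_TOKEN, the "Authorization: Bearer <token>" header form, and hypothetical function names; the API URL is supplied by the caller.

```shell
# Added example; SANITY_TOKEN and both function names are assumptions.

# Print a curl config line carrying the Authorization header.
# Fails if the token is missing or holds anything outside the bearer-token
# character set (a space, quote or newline could inject headers or options).
sanity_auth_config() {
  _tok=${SANITY_TOKEN-}
  if [ -z "$_tok" ]; then
    echo "SANITY_TOKEN is not set" >&2
    return 1
  fi
  case $_tok in
    *[!A-Za-z0-9._~+/=-]*)
      echo "SANITY_TOKEN contains unexpected characters" >&2
      return 1
      ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$_tok"
}

# GET an API URL, handing the header to curl on stdin (-K -) so the token
# never appears in curl's argv, in ps output or in shell history.
sanity_get() {
  _url=$1
  case $_url in
    https://*) ;;
    *)
      echo "refusing to send a token over a non-HTTPS URL" >&2
      return 1
      ;;
  esac
  # Build the config first: if validation fails, no request is sent at all.
  _cfg=$(sanity_auth_config) || return 1
  # printf is a shell builtin, so this pipe does not expose the token either.
  printf '%s\n' "$_cfg" | curl --silent --show-error --fail -K - --url "$_url"
}

# Usage (the URL is a placeholder):
#   sanity_get "https://<your-api-host>/<path>"
```

The same wrapper works unchanged with a robot token, which is the better choice for anything that runs unattended.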

Robot tokens

If you need to authenticate with the Sanity API from an application or third-party service, you should generate a dedicated robot token for it, with appropriate permissions. Using a separate token for each application makes it easier to replace it or revoke access, if necessary.

You can create new robot tokens in your project's management console. Once a token is generated, it will be displayed exactly once - be sure to make a secure copy of it, since it is not possible to recover the token later (although you can create a new one). You can then use the token in API requests as outlined above.